Why Every Company Needs A Written IT Policy And What It Should Include
See this article as it originally appeared in the Hartford Business Journal.
Almost every company has a set of policies and procedures in place, whether for employee conduct, safety, attendance or human resources functions, to name a few.
But if a company doesn’t have an IT policy in place, it’s missing an important first step in improving productivity and guarding against cybersecurity threats.
An effective IT policy establishes a foundational understanding for all employees on what is allowed or prohibited on the company’s systems.
This helps protect the company from potential litigation in the event of employee termination. It also improves productivity by setting standards for the most common routine IT functions. Plus, for most cybersecurity frameworks, a written IT policy is a requirement for maintaining compliance.
Just like all corporate policies that apply to everyone, your IT policy needs to be clearly written out and easy for non-technical employees to comprehend.
It must apply consistently to all employees, from the newest hires to the highest executives. And it should be kept in a location accessible to every employee for easy reference.
If you’re just starting to create your company’s IT policy and don’t know where to begin, here are some topics to consider.
Local access and remote access
It’s standard practice for every employee who needs to use a company computer to have their own user ID and password.
A well-written access control policy will address who, if anyone, must approve the creation of an account for an employee.
It also lays out the naming conventions used for creating user IDs, how long passwords must be and how often they must be changed, and what approvals are required for an employee to receive elevated or privileged forms of access.
The issue of remote access is more important now than it’s ever been. Is access allowed for all employees at all times, or are there limitations based on personnel, system functions or time frames? What company resources, such as a virtual private network (VPN) gateway, must be used in performing remote access?
Another important aspect of remote access is whether employees are mandated to use company-issued hardware or, in certain limited circumstances, if they are allowed to use their personal devices for corporate network access.
Software and application management
It’s often said in cybersecurity that you can’t protect what you can’t see, and this applies just as much to software as it does to hardware.
To maintain inventories of the software running on their networks, both for licensing and security purposes, companies need to establish policies on which baseline software is installed on all systems by default and how products can be added to that baseline.
Since most users on the corporate network will not have permission to install software, your IT policy should also consider who must approve requests from users for installation of new software products on the network and how these approvals are documented.
When thinking about software policy, don’t forget about rules for apps if you also have mobile devices under company control. Be sure to identify in your policy whether certain app stores or marketplaces are company-approved, including whether your company has its own centrally managed app marketplace.
There are always exceptions
You can have a well-written policy that covers everything clearly and consistently, but every once in a while something unexpected comes up.
What if your maintenance policy simply doesn’t work for a system that, for a certain period of time, can’t be taken offline for updates? Here’s where your policy on exceptions comes into play.
Almost every rule has some good reason to be broken. Making sure your company has a policy on how users should submit requests for exceptions, and who approves or denies these requests, is essential to ensuring your company effectively balances cybersecurity and operational needs.